Federal Cybersecurity R&D

Focus Questions for this Section: Should there be a private sector organization to act as a partner to the public sector in a continuing game-change process? What mechanisms would support a sustainable process to drive change envisioned by the three themes?


Replies to This Discussion

Regarding the Seed Stage of game-changing innovation, I suggest that NITRD take action immediately to provide "seed capital" to people and organizations that can support and orchestrate cross-organization research teams in the months before funded research opportunities appear.

(The ideas here are elaborated in my letter to the CSIS commission: http://meritology.com/resources/CSIS-Cyber.pdf, especially pages 4-9.)

Currently, I think we are poorly organized to support the Seed Stage. NITRD is implicitly expecting that organizations and individuals will invest serious time and energy, and will be willing to make collaboration commitments long before any funded projects opportunities appear. In my experience, this won't happen. The opportunities only become "real" when the funding and sponsorship appears.

Furthermore, there is no "center of gravity" for R&D collaboration, even to get ideas and projects formulated. By "center of gravity", I mean institution(s) that provide the resources, legitimacy, and long-term commitment necessary to attract people and organizations to the cause.

Without a good support for the Seed Stage, game-changing innovation ideas will never get to the project stage. Instead, it will be "business as usual" -- short-term, incremental projects with limited cross-organization collaboration.

What we need are ways to get innovation projects started NOW while they are still vague ideas, and not years from now when the solicitations and BAAs finally arrive. I suggest that we should create "Innovation Incubators" and "Innovation Orchestrators". NITRD agencies can help by providing funding (<$1 million), support, and legitimacy. What's important is that these are non-governmental catalysts to get innovative ideas off the ground. You might call them "idea capitalists". (CommerceNet coined this term.)

"Innovation Incubators" are similar to new venture incubators in that they provide a home for people or teams while they are in the early stages of innovation -- formulating ideas and projects, recruiting teams, etc. While this is common in the world of venture capital, the business model has only recently been applied to invention and innovation (pre-product).

Perhaps the best example is Intellectual Ventures (http://intellectualventures.com), founded by Nathan Myhrvold. For an excellent article describing this business model, see this HBR article: https://archive.harvardbusiness.org/cla/web/pl/product.seam?c=3113&... and also this podcast: http://blogs.hbr.org/ideacast/2010/02/reinventing-invention.html . Of course, their business model doesn't apply exactly because they monetize intellectual property (a.k.a. invention). However, if you substitute the word "innovation" for "invention" in their description, I think you'll find that many elements of the model apply.

In fact, Intellectual Ventures might be interested in hosting such an incubator for cybersecurity R&D. Here's their page for "sponsored invention", including the contact information for the VP of business development: http://intellectualventures.com/Libraries/General/IV_Sponsored_Inve...

"Innovation Orchestrators" are individuals or organizations that are dedicated to organizing cross-organization, cross-discipline, and cross-sector research teams. Their main contribution happens in the 3- to 12-months that it takes to organize such teams and to formulate specific research proposals. They personify the "center of gravity" for potential collaborators and sustain the seedling collaborations before long-term funding is in place. They may or may not take a role in the research projects themselves. Innovation Orchestrators could be hosted anywhere, but it might make most sense if they are hosted (and funded) through recognized non-profit organizations. I have an extended blog post on this topic: http://newschoolsecurity.com/2010/03/everybody-complains-about-lack...

There are existing non-profit organizations that might be good hosts for Innovation Orchestrators, including:

• Center for Internet Security
• Security Innovation Network (SINET)
• European Network and Information Security Agency (ENISA)

Funding for Orchestrators could be in the form of a 12-month to 24-month fellowship. (CommerceNet has had such a fellowship program in the past: http://www.commerce.net.) Additional funding could be used by the Orchestrators as small grants to individuals and organizations to support seed-stage activities. (CommerceNet calls this "idea capitalism".)

I also suggest that you look at Gene Spafford's white paper, which proposes a similar concept which he calls "Information Security and Privacy Extended Grant": http://transfer.spaf.us/is-prop.pdf .

Most important: these are steps that can be taken NOW that will generate productive action toward game-changing R&D.

Any sort of well-managed means for individuals to find each other and discover common interests would be helpful. Years ago, there was a web site for SBIR information, run for the government by a contractor, that included a discussion forum that permitted people to post... when the site became SBIR.gov, that feature was scuttled, and a lot of functionality was lost.

Very good post and references. Note that in the HBR podcast Nathan Myhrvold distinguishes between invention (his business) and innovation (something more mundane). Innovation incubators provide a better fit for a Federally sponsored program, and any incidental inventions will be free to the government.

Here is an interesting blog post by a Forrester analyst regarding the ecosystem of innovation services providers in the context of commercial R&D:


(His final report will probably be available to subscribers or for purchase with a one-time fee.)

This analysis does not exactly cover the research-heavy scenario that we are facing. Even so, it would be enlightening reading for anyone not familiar with innovation ecosystems and various service provider models.

"Should there be a private sector organization to act as a partner to the public sector in a continuing game-change process?"

I realize that the other participants in this forum who make a living in cyber security will hate me for saying what I am about to say, but in my opinion the answer is categorically no. The reason is simple. The private security industry is in the business of making money and their goal is to remain in business for as long as possible. They have no interest in seeing a final comprehensive solution to the problem because such a solution would put them out of business.

"What mechanisms would support a sustainable process to drive change envisioned by the three themes?"

The cyber security crisis is a national issue with serious consequences for both the military and the economy. I believe that the federal government should set up a distinct and focused lab and hire researchers who are hellbent on solving this problem once and for all. The only way to properly motivate this breed of researchers is to offer them a special reward that is contingent upon their success: a guaranteed income for life. After all, who would want to work on a project that threatens to make one's livelihood obsolete, without some sort of long-term guarantee?

Private sector organizations include but are not limited to the private security industry. For example, Internet Service Providers and application developers may be interested in solving cybersecurity issues as much as the government is.

I agree. They, too, should join the government in trying to find a final solution. They certainly should not put their faith in the security industry to solve their problems once and for all. Costly band-aid remedies such as some of the ideas I've seen being proposed here are just not going to cut it. Only a complete final cure is acceptable. Anything else means we're back to the same old stuff, always on the brink, and never knowing when something nasty and painful is going to happen.

The private sector should consider trying a new approach. Maybe a partially government-funded organization can be set up to offer an X-Prize or something of that nature. Any way you look at it, nobody is going to make a dent in this problem unless the incentive to do so is big enough to encourage people to make a serious effort at it. It must be worth our while.

As Louis put it succinctly, we all know the problem, we all know the path to a real solution, we all know it's not going to happen, and we all need to show that we at least tried...

The internet was built for open, insecure, fast, trustworthy communication between researchers. Nothing more.

It would have been better for them to ask for the mathematical proof that the internet can never be secured. It would be a hell of a lot quicker. Personally, I challenge the brains out there to finally give it to them, so I can go to sleep and, whenever they pull this crap out again, just show them the proof.

The point about research, money, public -private partnership is all MOOT, has been moot and will always be moot with the current internet.

The problem is, as we have shown, they know this, but they have to be shown to be doing something. Personally, if I were the heads of the G6 and read this... which they will never be told... ever, I would all get together and finally do something about it.

The PROBLEM IS you have organisations like the federal government in the way of progress... as usual.

Ground up, you need a secure, safe computer and infrastructure set-up. It's not rocket science, after all.

It might be that once this process is complete, lessons learned could be retrofitted to our current system. But I doubt anyone will be able to envisage all the ingredients without creating the pie.

Having SBIR/STTR topics would be a good idea. Also looking for ways to put in place standards and independent testing.

I think Russell makes some excellent points but there are still pieces missing.

First, there is a void in terms of ultimate leadership. Whether it comes from government, military or private sector, perhaps there has to be some person or body with authority and budget to take the reins and say here is what we need to do and here is how we're going to do it, recruiting the best minds from the private sector for each piece of the puzzle. Whether a "Manhattan Project" style of approach is right, no one can be sure, but it seems that throwing tons of money at researchers and waiting to see what "bubbles up to the surface" is no guarantee of results in the short term, or ever. I am not sure that leadership by committee really cuts it.

Russell makes great points about seed funding but there is also another stage that is lacking. I am not the only person to notice that government and DoD lack a central clearing house of (new) technologies and what seems to work. It would seem logical that if time is a factor, then building on what seems to be working might be important. Seeding new ideas is great for basic research. But applied research is the next stage, and there needs to be a repository of what seems to have merit, matched to volunteer/designated test/pilot trials and written up as case studies so that follow-on funding can result in areas with potential merit. If something is an improvement or seems to work, build on it.

@Rob -- your points are valid, especially regarding the void of leadership. But we may disagree on what sort of leadership is required and how to bring it forward.

You say: "...perhaps there has to be some person or body with authority and budget to take the reins and say here is what we need to do and here is how we're going to do it, recruiting the best minds from the private sector for each piece of the puzzle." Let's call this the "Mega-program Model" because it features top-down leadership and funding. Famous examples include the Manhattan Project and the Apollo Program.

There is reason to believe that the Mega-program Model won't work in the general case of cyber security R&D, though it might work in a focused subset. I believe it won't work in the Cyber Economic Incentives theme, in particular. For a thorough policy analysis of the Mega-program Model see this report from the Congressional Research Service: http://www.fas.org/sgp/crs/misc/RL34645.pdf . They evaluate this Model relative to Energy R&D instead of Cyber Security R&D, but the two domains share many similar characteristics from an R&D perspective.

Regarding the need for other stages in the "Sustaining Processes", I strongly agree. That's why I qualified my comments to say they applied to the "seed stage" only. I have other ideas about later stages, but they aren't worked out yet so I haven't posted anything.

There is already some activity to bring new security technology solutions and technologies into the Federal Agencies, spearheaded by the Security Innovation Network http://www.security-innovation.org/ . More could be done, certainly, but this alone won't lead to game-changing innovation. It could increase the incentives and payoff for certain technologies, products, or services.

But the whole cyber security R&D ecosystem may need to be reconfigured because the Vannevar Bush model (basic research -> applied research --> commercialization; http://www.nsf.gov/od/lpa/nsf50/vbush1945.htm#ch3.3) is probably not well suited for these game-changing themes. Leadership may need to come from the "middle-out" rather than top-down or bottom-up (individual researchers). By "middle-out" I mean loose coalitions of program managers, directors, and other middle managers collaborating across organizations and sectors. In particular, we may need research leadership from downstream people and organizations -- "customer-led innovation".

Lastly, I definitely am not suggesting "throwing tons of money" at researchers or anyone else. Some "loose money" will be needed in the seed stage, and maybe other stages, but in the grand scheme it's really a small amount to support sufficient "bubbling up" to break out of the limits of existing organizational, discipline, and professional "boxes".

@Victoria -- thanks for your supportive comments. You've added valuable clarifications and emphasis. Yes, I'm definitely suggesting innovation in the process of R&D funding, collaboration, and management.

Consider two extreme approaches:
(1) provide funds to premier institutions with a clear goal of solving the three game-changing themes, and
(2) throw money at everybody who happens to comment on the NITRD web site.

In case 1, you eliminate serendipity, end up with mediocre results, make the results presentable, and continue struggling with ever mounting cyber issues.

In case 2, you get too much serendipity but few means of making sense out of it.

The approach proposed by Russell is itself an invention, an invention of a process that matches the task. It walks a fine line between cases 1 and 2, trying to address obvious objections by building upon existing successful models. The components of Russell's invention include:
- Venture Capital-like approach using VC experience of betting on serendipity
- sponsoring groups with good track record such as Intellectual Ventures
- orchestration
- and ultimately catching Nassim Taleb's positive Black Swans.


Affiliation note: I am a federal employee and not looking for funds.


© 2014   Created by NITRD Cyber Security.
